This gives us:

If not for useother=t, we could simply end our query with head 5, which would return the first five rows. To produce the "other" row, we will have to label everything beyond row 5 with a common value, and collapse those rows using stats. This will take a few steps.

First, we need to create a counter field, which we will call rownum:
sourcetype="impl_splunk_gen" error
| stats count by logger user
| eventstats sum(count) as totalcount
| eval percent=count/totalcount*100
| sort -count
| eval rownum=1
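The "top five plus other" collapse that this search is building toward, written out as an added Python example (not the book's SPL) over a constructed set of (logger, user) pairs from error events, so the row labelling and collapsing steps can be seen end to end:

```python
from collections import Counter

# Constructed sample events: (logger, user) pairs, standing in for the
# error events that `stats count by logger user` groups on.
SAMPLE_EVENTS = (
    [("AuthLogger", "mary")] * 40
    + [("AuthLogger", "bob")] * 25
    + [("BarClass", "jacky")] * 15
    + [("FooClass", "linda")] * 10
    + [("BarClass", "mary")] * 5
    + [("LogoutLogger", "bob")] * 3
    + [("FooClass", "jacky")] * 2
)

def stats_count_by(events):
    """Equivalent of `stats count by logger user`."""
    counts = Counter(events)
    return [{"logger": l, "user": u, "count": c} for (l, u), c in counts.items()]

def top_with_other(rows, limit=5, other_label="other"):
    """Emulate `top ... useother=t`: keep the `limit` largest rows by count,
    relabel every later row with a common value, collapse those into one
    row, and compute percent against the total over all rows."""
    if not rows:
        return []
    total = sum(r["count"] for r in rows)                  # eventstats sum(count) as totalcount
    ordered = sorted(rows, key=lambda r: r["count"], reverse=True)  # sort -count
    labelled = []
    for rownum, r in enumerate(ordered, start=1):          # rownum counter, as in the search
        if rownum <= limit:
            labelled.append((r["logger"], r["user"], r["count"]))
        else:
            labelled.append((other_label, other_label, r["count"]))
    collapsed = {}                                         # stats sum(count) by logger user
    for logger, user, count in labelled:
        collapsed[(logger, user)] = collapsed.get((logger, user), 0) + count
    return [
        {"logger": l, "user": u, "count": c, "percent": round(c / total * 100, 2)}
        for (l, u), c in collapsed.items()
    ]

if __name__ == "__main__":
    for row in top_with_other(stats_count_by(SAMPLE_EVENTS)):
        print(row)
```

When there are no rows beyond the limit, no "other" row is emitted, matching what a real top would return for a short result set.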